XPinstall whitelist additions [xpinstall not working]



15 years ago
4 years ago


(Reporter: dveditz, Assigned: dveditz)


Dependency tree / graph

Firefox Tracking Flags

(Not tracked)




15 years ago
bug 240552 added a whitelist to XPInstall. For the Mozilla suite the point was
not to restrict functionality from friendly sites but to protect against unknown
malicious sites. Since the XPInstall confirmation dialog will still always show
up as the main security measure I'm happy adding additional mozilla developer
sites in the short term. Unfortunately I didn't get any nominations in that bug
before I fixed it, so this bug will hold those.

Long term we will have a UI solution (bug 241705).

I'll start off with www.hacksrus.com, host to the active development versions of
chatzilla and venkman. Do we want to add that one (opening it up to all members
of hacksrus, not just ginda), or figure people who want it are smart enough to
add it on their own?

Comment 1

15 years ago
Should we add bugzilla.mozilla.org to the -BLACK-list? Makes testcases harder to
deal with but too many people can add content here. Since you can't add script
to a bug comment I think you'd have to be able to add an attachment to take
advantage. But if you can add an attachment then it'd be easy. :-(


15 years ago
Blocks: 246122
I have a list of extensions I install with every upgrade, so here are the ones
bug 240552 affected:
<http://www.mozcafe.com/> contains additional spellchecker languages, as well as
a splash.xpi that changes the splash screen.

<http://tecwizards.de/mozilla/> contains the "paste and go" extension.

<http://3rdhand.info/mozilla/home/> contains the ever popular "Home button" add-on.

<http://cgi29.plala.or.jp/%7Emozzarel/> contains a few add-ons, like the
Bookmarks Link Checker, and the Browser Spell Checker (for text fields and web

and of course
<http://white.sakura.ne.jp/%7Epiro/xul/xul.html.en> contains many extensions,
like Tabbrowser Extension.

I've also got a small site <http://ilias.ca/>, that hosts prefsize.xpi, which
makes the preferences window resizable.
A few more:
<http://skypilot.projectit.com/> hosts the skypilot theme

<http://projectit.com/freestuff.html> hosts many themes, which seem to reside on

<http://www.java.com/en/download/manual.jsp> Sun makes JRE available through XPI.
And of course, there's the Extensions Mirror by sboulema:


Big vote now for that one.

Comment 5

15 years ago
Yep my site deserves a entry in the list i guess ;)

Comment 6

15 years ago
Pinball and GrayModern themes for Mozilla


Theme installation is blocked unnecessarily. Themes can't contain executable
code when installed from a jar file. Anyway, until this issue is resolved, theme
pages should be included in the whitelist.

Comment 7

15 years ago
InstallTrigger.installChrome() can install more than just skins, unfortunately,
but I agree that themes are not as dangerous as the rest. I guess it wouldn't be
too hard a change though.

Comment 8

15 years ago
My themes are located at
http://www.cs.txstate.edu/~as1130/themes/*theme_name*/theme.jar, so would adding
http://www.cs.txstate.edu/~as1130/themes/ to the whitelist be adequate?  I use a
redirection service (http://www.mozthemes.tk) that points to
http://www.cs.txstate.edu/~as1130/themes/, but I don't know if the redirection
service would mess up the XPInstall...

Comment 9

15 years ago
if my site http://www.extensionsmirror.nl/ gets added will
http://extensions.extensionsmirror.nl and http://themes.extensionsmirror.nl also
be white listed. if not please add them to the list

Comment 11

15 years ago
My theme files are located at:

I included both the root domain and the www. prefix, not knowing exactly how your whitelist is handled.

Comment 13

15 years ago
Red Cats and Curacao themes for Firefox:

Comment 14

15 years ago
The problem with sites like http://isp.com/~member/ is that we can't whitelist
just the one member. Do we trust that a scumware vendor wouldn't be willing to
sign up for an account on one of our default whitelisted sites if that meant
they could get around the restriction on pushing their wares?

I think we need to give up on whitelisting additions, there are just too many
sites to be fair. Letting theme installs bypass the whitelist restriction will
help tremendously -- that should be step one. After that we should just get the
UI  implemented so people can easily restart blocked installs and whitelist
their own favorites.

Comment 15

15 years ago
ContextMenu Extensions
Tabbrowser Extensions
Sidebar Window for Mozilla & Netscape 7
Rewind/Fastforward Buttons + more
(kinda hard to avoid this guy :)

User Agent Switcher
Web Developer
(web dev toolbox supreme)
For plugins, I'd suggest adding the following:

java.sun.com (Java)
java.com (Java)
parallelgraphics.com (Cortona VRML)
host.cycore.net (Cult3D)
bxwa.com (FastBid)
ipix.com (iPIX)
virtools.com (Virtools Web Player, untested and not on PluginDoc at present)

Food for thought:
iol.ie (ActiveX plugin, as much as I hate the thing)
netscape.com (tends to have interesting XPIs from time to time)

With the exception of iol.ie and netscape.com, all the sites above are vendor
sites, so the concerns in comment 14 aren't so much of an issue. In the case of
netscape.com, there have often been useful things like Flash XPIs there.

Comment 17

15 years ago
Is there a Firefox version of this bug?  

Comment 19

15 years ago
about theme installation: see Bug 246375

Comment 20

15 years ago
Not sure if this is still valid or not, but better safe than sorry, I suppose.

Future versions of GrayModern for Firefox (and probably the new Modern theme as
well) will be hosted on:


Comment 21

15 years ago
Navigation toolbar and themes for my online classes:

well, http://stud4.tuwien.ac.at/~e0225227/ would be nice... (mng xpi)

...but half of the students at tuwien can host webpages on this server. do you
trust them? :)
I wouldn't mind having my site at http://ted.mielczarek.org/code/mozilla/
whitelisted, but I get the feeling that most people install the extensions from
u.m.o anyway, so it's probably not a big deal.

Comment 24

15 years ago
Well, Firefox now has a handy UI for adding items to your own whitelist.  UMO is
now on it, but *.m.o is not (to avoid bmo).  Everyone is chipping in their
favorite extension and theme sites, but I feel that the number of white listed
sites should be pretty limited.

At some point UMO will allow authors to upload updates to their extensions and
themes.  These will be verified by "staff" before it is approved to be listed.  

In other words, I don't think the white-list needs to contain anything other
than UMO.

Comment 25

15 years ago
wontfix, instead we need a decent UI (such as the one Firefox has added) that
lets people create their own custom whitelist. See also bug 246375 (don't
require whitelisting for theme installs).
Closed: 15 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.